On the structure of the Schur squares of Twisted Generalized Reed-Solomon codes and application to cryptanalysis (2412.15160v2)

Published 19 Dec 2024 in cs.IT and math.IT

Abstract: Twisted generalized Reed-Solomon (TGRS) codes constitute an interesting family of evaluation codes, containing a large class of maximum distance separable codes non-equivalent to generalized Reed-Solomon (GRS) ones. Moreover, the Schur squares of TGRS codes may be much larger than those of GRS codes with the same dimension. Exploiting these structural differences, in 2018, Beelen, Bossert, Puchinger and Rosenkilde proposed a subfamily of Maximum Distance Separable (MDS) Twisted Reed-Solomon (TRS) codes over $\mathbb{F}_q$ with $\ell$ twists, $q \approx n^{2^{\ell}}$, for McEliece encryption, claiming their resistance to both the Sidelnikov-Shestakov attack and Schur product-based attacks. In short, they claimed these codes to resist classical key recovery attacks on the McEliece encryption scheme instantiated with Reed-Solomon (RS) or GRS codes. In 2020, Lavauzelle and Renner presented an original attack on this system based on the computation of the subfield subcode of the public TRS code. In this paper, we show that the original claim on the resistance of TRS and TGRS codes to Schur product-based attacks is wrong. We identify a broad class of codes including TRS and TGRS ones that is distinguishable from random by computing the Schur square of some shortening of the code. Then, we focus on the case of a single twist (i.e., $\ell = 1$), which is the most efficient one in terms of decryption complexity, to derive an attack. The technique is similar to the distinguisher-based attacks on RS code-based systems given by Couvreur, Gaborit, Gauthier-Umaña, Otmani, Tillich in 2014.

Summary

  • The paper demonstrates that Twisted Generalized Reed-Solomon codes can be distinguished from random codes using Schur squares, disproving a prior resistance claim.
  • For TGRS codes with a single twist ($\ell = 1$), the paper develops a novel polynomial-time cryptanalytic attack with $O(q^3 n^4)$ operations.
  • The paper provides a rigorous analysis of attack probabilities, solidifying findings and highlighting the need to reassess parameter selection and security assumptions for TGRS-based cryptosystems.

Overview of the Paper on Schur Squares of Twisted Generalized Reed-Solomon Codes and Cryptanalysis

The paper studies the structural and cryptanalytic properties of Twisted Generalized Reed-Solomon (TGRS) codes. Specifically, it uses Schur squares to analyze these codes and proposes a new method to distinguish TGRS codes from random linear codes, with significant implications for their use in cryptographic applications.

Cryptanalysis Context

The McEliece cryptosystem, an established public-key cryptosystem, traditionally based on Goppa codes, has seen proposals for using other families like Reed-Solomon codes due to their efficient decoding algorithms. However, generalized Reed-Solomon (GRS) codes were shown to be insecure due to structural attacks such as those by Sidelnikov and Shestakov. Twisted Reed-Solomon (TRS) and Twisted Generalized Reed-Solomon (TGRS) codes were introduced as potential alternatives, purportedly resistant to classical attacks and providing advantages such as smaller key sizes for a given security level.

In 2020, Lavauzelle and Renner introduced an efficient key-recovery attack on TRS codes as proposed in prior works, based on identifying specific structures within their subfield subcodes. The present paper builds on this line of work by further challenging the security assumptions made for TGRS codes in prior claims.

Main Contributions

  1. Distinguishability from Random Codes: The paper disproves the claim that TRS and TGRS codes can resist attacks based on the Schur product. By computing the Schur square of certain shortenings of these codes, the paper demonstrates that TGRS codes can indeed be distinguished from random codes under certain conditions. This result holds particularly when the number of twists, \ell, is reasonably small, which is typical for practical cryptographic implementations due to computational constraints in decoding.
  2. Cryptanalytic Attack for $\ell = 1$: For TGRS codes with a single twist ($\ell = 1$), the paper develops a novel polynomial-time attack. The attack leverages the Schur-square distinguisher for this class of codes, shortening the code further where necessary, and turns the distinguisher into a key-recovery procedure. The derived attack runs in $O(q^3 n^4)$ operations.
  3. Enhanced Probability Analysis: Extending prior heuristic methods, this paper provides a rigorous analysis of the success probability of the attacks on GRS-based cryptosystems. By doing so, it grounds the attack in provable terms for a range of parameters that encompasses the practical settings advocated in prior literature. It also removes the reliance on heuristic arguments, placing the results within defined probability bounds.
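The distinguisher at the heart of contribution 1 rests on a dimension count: for a random $[n,k]$ code the Schur square (the span of all component-wise products of pairs of codewords) has dimension $\min(n, k(k+1)/2)$ with high probability, whereas evaluation codes have Schur squares that stay far below that bound. The following is an added illustration, not code from the paper or its authors: it computes Schur-square dimensions over a prime field for an RS code, a single-twist TRS code in the form of Beelen et al. (a basis of monomials $x^i$ in which $x^h$ is replaced by $x^h + \eta\, x^{k-1+t}$ for a hook $h$ and twist $t$; this form, and the parameters `P = 1009`, `N = 40`, `K = 4`, `ETA = 7`, are assumptions made here), and a pseudo-random code. It deliberately works in the simplest regime where no shortening is needed; the paper's distinguisher for general parameters applies the same dimension count to suitable shortenings of the code.

```python
"""Schur-square dimension distinguisher: RS vs single-twist TRS vs random code.

Added example (not from the paper).  Assumed parameters: prime field F_P,
evaluation points 1..N, dimension K, twist coefficient ETA (any non-zero value).
"""
import random
from itertools import combinations_with_replacement

P = 1009   # prime field size (assumption)
N = 40     # code length: evaluation points 1..N are distinct and non-zero
K = 4      # code dimension
ETA = 7    # twist coefficient eta, non-zero (assumption)


def rank_mod_p(rows, p=P):
    """Rank of a list of vectors over F_p via Gaussian elimination."""
    m = [[v % p for v in r] for r in rows]
    if not m:
        return 0
    rank = 0
    for col in range(len(m[0])):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [(v * inv) % p for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank


def evaluate(poly, points, p=P):
    """Evaluate a coefficient list (lowest degree first) at each point (Horner)."""
    out = []
    for x in points:
        acc = 0
        for c in reversed(poly):
            acc = (acc * x + c) % p
        out.append(acc)
    return out


def grs_generator(n=N, k=K, p=P):
    """Generator matrix of the RS code {f(x) : deg f < k} on points 1..n."""
    points = list(range(1, n + 1))
    return [evaluate([0] * i + [1], points, p) for i in range(k)]


def trs_generator(hook, twist, eta=ETA, n=N, k=K, p=P):
    """Single-twist TRS generator: basis x^i for i < k, except that the hook
    monomial x^hook becomes x^hook + eta * x^(k-1+twist)  (assumed form)."""
    points = list(range(1, n + 1))
    rows = []
    for i in range(k):
        poly = [0] * (k + twist)          # degrees 0 .. k-1+twist
        poly[i] = 1
        if i == hook:
            poly[k - 1 + twist] = eta % p
        rows.append(evaluate(poly, points, p))
    return rows


def random_generator(n=N, k=K, p=P, seed=2024):
    """Generator matrix of a pseudo-random [n, k] code (fixed seed, constructed)."""
    rng = random.Random(seed)
    return [[rng.randrange(p) for _ in range(n)] for _ in range(k)]


def schur_square_dim(gen, p=P):
    """Dimension of the Schur square: span of component-wise products of rows."""
    prods = [[(a * b) % p for a, b in zip(u, v)]
             for u, v in combinations_with_replacement(gen, 2)]
    return rank_mod_p(prods, p)


def random_bound(n=N, k=K):
    """Expected Schur-square dimension of a random [n, k] code."""
    return min(n, k * (k + 1) // 2)


def report():
    """Schur-square dimensions side by side; anything below the bound is
    distinguishable from random by this test alone."""
    return {
        "random_bound": random_bound(),
        "rs": schur_square_dim(grs_generator()),            # 2k - 1
        "trs_hook_k-1_twist_1": schur_square_dim(trs_generator(hook=K - 1, twist=1)),
        "trs_hook_0_twist_1": schur_square_dim(trs_generator(hook=0, twist=1)),
        "random": schur_square_dim(random_generator()),
    }


if __name__ == "__main__":
    for name, dim in report().items():
        print(f"{name:>22}: {dim}")
```

With these parameters the RS code gives $2k-1 = 7$, both single-twist TRS codes give 8 (one extra product polynomial comes from squaring the twisted basis element), and the random code reaches the bound of 10. The twist does enlarge the Schur square, as the abstract says, but not enough to hide the algebraic structure, which is the observation the paper generalizes.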

Implications and Future Outlooks

The implications of this research stretch across the fields of code-based cryptography and post-quantum secure systems. Cryptosystems based on seemingly robust algebraic structures like TGRS and related codes must be revisited with caution regarding their vulnerability to modern cryptanalytic methods.

The paper sets out critical considerations for parameter selection in TGRS-based cryptosystems. Notably, with $\ell$ in $O(1)$, as practical decoders require, the underlying structural weaknesses can be exposed, underlining the continued need for diverse security assessments.

Further developments could explore the threshold parameters and alternate modifications in TGRS construction that genuinely yield security beyond known attack vectors. Overall, this paper serves as a pivotal insight into guarding against overconfidence in algebraic defenses and underscores the necessity for adaptability and extensive cryptanalytical vetting in proposed encryption schemes.
